A flaw in software made by BlackBerry has potentially left certain medical devices vulnerable to hacking, yet the company reportedly chose to keep quiet about the problem for months.
Best known for its old-school smartphones, BlackBerry has become a major supplier of software for industrial equipment, including QNX, which powers a variety of critical infrastructure such as factory machinery and medical devices.
FDA issued a notice Tuesday about cybersecurity vulnerabilities with a real-time operating system (RTOS) designed by QNX and owned by BlackBerry. These vulnerabilities may introduce risks for certain medical devices, although the agency said it is not currently aware of any confirmed adverse events related to these vulnerabilities.
FDA said manufacturers are assessing which medical devices may be affected by the BlackBerry QNX cybersecurity vulnerabilities, evaluating the risk, and developing mitigations that may include software patches from BlackBerry. The agency is directing all questions related to this issue to the Cybersecurity and Infrastructure Security Agency (CISA).
According to a notice from CISA, BlackBerry publicly disclosed Tuesday that its QNX RTOS is affected by a BadAlloc vulnerability, CVE-2021-22156. BadAlloc is a collection of 25 vulnerabilities affecting multiple RTOSes and supporting libraries. A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices, the cybersecurity agency noted. While the agency said it is not currently aware of active exploitation of this vulnerability, a hacker could potentially gain control of highly sensitive systems because of the types of products using the BlackBerry QNX RTOS.
Did BlackBerry keep customers in the dark?
Perhaps the more serious concern regarding this news is that BlackBerry allegedly waited until this week to publicly disclose the problem, whereas other software companies affected by BadAlloc revealed the flaws in May, after Microsoft security researchers discovered the vulnerability in late April.
According to a Politico report published Tuesday, which cited two unnamed "people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee," the company initially denied that BadAlloc impacted its products at all. Later, the company reportedly resisted making a public announcement, even though it couldn’t identify all of the customers using the software.